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ABSTRACT 


This  thesis  considers  the  problem  of  protecting  an  electrical  power  grid  against  a 
potential  attack  on  its  physical  infrastructure.  We  develop  a  mathematical  model,  called 
“Defense  of  Known  Interdictions”  (DKI),  that  identifies  the  optimal  set  of  components  to 
defend  in  an  electrical  power  grid  given  limited  defensive  resources.  For  a  small  test 
network,  we  show  that  defending  fewer  than  10%  of  the  buses  reduces  the  possible 
disruption  from  an  attack  by  over  20%.  Previous  research  has  developed  optimization 
models,  called  I-DCOPF,  to  find  optimal  or  near  optimal  interdiction  plans  for  electrical 
power  grids.  DKI  solution  time  is  detennined  by  I-DCOPF  solution  time.  We  develop  a 
model,  called  the  Network  Dual  Relaxation  (NDR),  to  replace  I-DCOPF  and  reduce 
solution  times.  NDR  approximates  electrical  power  grid  behavior  as  a  minimum  cost 
network  flow  and  uses  this  approximation  to  quickly  estimate  a  lower  bound  for  the  exact 
interdiction  model.  We  test  NDR  on  a  portion  of  the  North  American  power  grid  with  a 
computational  limit  of  6000  seconds.  Results  with  ten  buses  defended  show  that  NDR 
finds  solutions  that  are,  on  average,  40%  better  than  those  of  the  exact  I-DCOPF  model 
with  a  significant  reduction  in  computational  time. 
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EXECUTIVE  SUMMARY 


This  thesis  considers  the  problem  of  protecting  an  electrical  power  grid  against  a 
potential  attack  on  its  physical  infrastructure. 

The  size  and  complexity  of  the  U.S.  electrical  power  grid  increase  the  potential  of 
a  large  scale  blackout  such  as  the  one  that  struck  portions  of  the  Northeastern  United 
States  and  parts  of  Ontario,  Canada  on  14  August  2003.  This  blackout  had  an  estimated 
economic  cost  of  up  to  $10  billion,  left  some  customers  without  power  for  four  days,  and 
highlights  the  vulnerability  of  the  U.S.  electrical  power  grid.  A  well-planned,  deliberate 
attack  against  the  power  grid  could  have  a  far  greater  impact,  both  in  terms  of  disruption 
of  services  and  economic  cost.  Identifying  how  to  optimally  allocate  limited  resources  to 
protect  the  power  grid  is  the  key  to  making  it  more  resilient  to  such  attacks. 

We  develop  mathematical  models  and  algorithms  to  identify  sets  of  components 
which,  if  protected,  would  minimize  the  damage  from  a  potential,  coordinated  attack  on 
one  or  more  unprotected  components.  We  integrate  this  model  into  the  optimization 
module  of  the  Vulnerability  of  Electrical  Grids  Analyzer  (VEGA)  decision-support 
system  developed  by  researchers  at  the  Naval  Postgraduate  School. 

A  trilevel  defender-attacker-defender  (DAD)  problem  represents  a  two-person 
game  between  a  defender  who  attempts  to  minimize  potential  damage  to  a  system  by 
protecting  key  components  with  limited  defensive  resources,  and  an  attacker  who  seeks 
to  inflict  maximum  damage  by  destroying  vulnerable  components  with  limited  offensive 
resources.  With  fixed  defenses,  the  DAD  model  becomes  a  bilevel  attacker-defender 
model  (AD)  that  optimizes  interdiction  decisions  assuming  that  the  system  will  be 
operated  optimally  after  interdiction. 

This  thesis  develops  a  model  called  “Defense  of  Known  Interdictions”  (DKI),  and 
an  associated  “DKI  algorithm”  to  solve  the  DAD  problem  for  electrical  power  grids. 
Previous  research  has  developed  an  optimization  model,  “I-DCOPF,”  to  solve,  at  least 
approximately,  the  AD  model  for  this  problem.  The  DKI  algorithm  identifies  a  set  of 
electrical  components  to  protect  (defend)  by  exchanging  infonnation  with  the  I-DCOPF 
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model:  For  each  specification  of  a  protection  plan,  I-DCOPF  generates  a  sequence  of 
possible  attacks  (including  the  optimal  one).  For  these  attacks,  the  DKI  model  suggests  a 
defensive  plan.  The  I-DCOPF  -  DKI  interaction  continues  with  instances  of  protection 
and  attack  plans  until  it  can  be  demonstrated  that  the  incumbent  defensive  plan  cannot  be 
improved. 

We  integrate  the  DKI  algorithm  into  VEGA  and  test  it  using  the  IEEE  Three  Area 
1996  Reliability  Test  System  (RTS  3-Area)  network,  consisting  of  73  buses  and  120 
lines.  For  this  test  network,  we  show  that  defending  fewer  than  10%  of  the  buses  reduces 
the  possible  disruption  from  an  attack  by  over  20%.  The  DKI  algorithm  effectively 
solves  the  DAD  problem  for  electrical  power  grids;  however,  solving  I-DCOPF  requires 
the  majority  of  the  computational  time  in  the  algorithm,  over  99%  of  the  time  for  all 
scenarios  tested.  This  motivates  the  next  part  of  the  thesis. 

We  explore  one  method  to  avoid  the  long  solution  times  associated  with  I- 
DCOPF.  Currently,  I-DCOPF  is  solved  using  a  decomposition-based  algorithm  in  which 
a  coordinating  (master)  problem  and  an  operating  (sub-)  problem  yield  upper  and  lower 
bounds,  respectively,  on  the  optimal  solution  to  I-DCOPF.  By  relaxing  the  electrical 
impedance  constraints  in  the  operating  problem,  we  can  approximate  power-grid 
behavior  as  a  minimum  cost  network  flow.  Using  this  approximation,  we  develop  a 
model  called  Network  Dual  Relaxation  (NDR)  that  quickly  generates  a  solution  that  is 
often  very  close  to  the  optimal  solution  to  the  original  I-DCOPF.  We  integrate  this  model 
into  VEGA  and  carry  out  tests  on  the  RTS  3-Area  network.  For  all  cases  considered, 
NDR  exactly  predicts  the  optimal  interdiction  in  less  than  5%  of  the  time  required  by  the 
exact  I-DCOPF  model.  We  also  test  NDR  on  a  portion  of  the  North  American  power 
grid  consisting  of  5,000+  buses  and  6000+  lines.  With  ten  buses  defended,  and  with  a 
6000  second  time  limit,  NDR  finds  solutions  that  are,  on  average,  40%  better  than  those 
of  the  exact  I-DCOPF  model  with  a  significant  reduction  in  computational  time. 
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I.  INTRODUCTION 


Electrical  power  is  a  vital  asset  to  the  United  States.  This  thesis  considers  the 
problem  of  protecting  an  electrical  power  grid  from  a  potential  attack  on  its  physical 
infrastructure.  Such  an  attack  against  an  electrical  generation  and  transmission  grid  in  the 
U.S.  could  have  severe  consequences.  Our  objective  is  to  develop  and  implement 
mathematical  models  and  algorithms  that  optimally  allocate  limited  defensive  resources. 
In  particular,  these  models  identify  sets  of  components  which,  if  protected  and  thereby 
made  invulnerable,  would  minimize  the  damage  from  a  coordinated  attack  on  a  group  of 
unprotected  components.  In  order  to  accomplish  this  task,  we  extend  previous  research 
that  seeks  to  identify  critical  components,  from  both  an  attacker’s  and  defender’s 
perspective. 

A.  VULNERABILITY  OF  THE  U.S.  ELECTRICAL  POWER  GRID 

Electricity  powers  everyday  life,  and  modem  society  depends  on  reliable 
generation,  transmission,  and  distribution  of  electrical  power.  The  National  Strategy  for 
the  Physical  Protection  of  Critical  Infrastructures  and  Key  Assets  [U.S.  Department  of 
Homeland  Security  2003]  emphasizes  that,  “were  a  widespread  or  long-term  disruption  of 
the  power  grid  to  occur,  many  of  the  activities  critical  to  our  economy  and  national 
defense... would  be  impossible.” 

Disruptions  in  electrical  power  service  can  come  from  various  sources.  On  14 
August  2003,  a  combination  of  weather,  equipment  failure,  and  operator  error  resulted  in 
a  massive  blackout  over  large  portions  of  the  Northeastern  United  States  and  parts  of 
Ontario,  Canada.  Some  locations  did  not  have  power  restored  for  four  days.  The 
estimated  cost  of  the  blackout  was  between  $4  and  $10  billion  to  the  U.S.  and  $2  billion 
to  Canada  [U.S. -Canada  Power  System  Outage  Task  Force  2004],  Although  human  error 
contributed  significantly  to  its  final  extent,  the  blackout  began  inconspicuously  when 
high  voltage  transmission  lines  contacted  overgrown  trees.  This  incident  highlights  the 
vulnerability  of  the  electrical  power  grid  and  the  economic  consequence  of  disruptions  of 
service. 
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Electrical  power  providers  continuously  monitor  their  transmission  grids  to  limit 
the  likelihood  of  large-scale  blackouts.  In  electrical  power  engineering,  system  security 
standards  such  as  “N-l”  and  “N-2”  entail  operating  the  transmission  grid  so  that  the  loss 
of  one  or  two  components,  respectively,  does  not  cause  a  cascading  blackout  [Wood  and 
Wollenberg  1996].  These  standards  ignore  malicious  attacks  that  could  cause  the  failure 
of  more  than  two  components,  and  they  also  ignore  the  loss  of  a  multi-component 
systems,  such  as  substations,  which  may  have  several  buses  and  transformers  in  a  single 
geographic  location. 

With  the  increased  threat  of  terrorist  activity,  electric  companies  must  face  the 
possibility  of  deliberate,  intelligent  attacks  against  the  transmission  grid.  In  the  National 
Transmission  Grid  Study,  the  U.S.  Department  of  Energy  [2002]  states  that  “new 
technologies  and  operating  practices  are  now  needed  to  protect  the  transmission  system 
against  deliberate,  coordinated  attacks.”  Accordingly,  the  North  American  Electric 
Reliability  Corporation  (NERC),  the  organization  tasked  with  improving  the  reliability 
and  security  of  the  power  system,  has  established  a  Critical  Infrastructure  Protection 
Committee  to  assess  the  cyber  and  physical  security  of  the  electric  transmission  grid. 

The  immense  size  of  the  U.S.  electrical  transmission  grid  makes  physical 
protection  of  all  its  components  impossible.  Certain  components  of  the  transmission  grid 
such  as  generation  plants  and  control  centers  are  staffed  continuously  and  have  multiple 
layers  of  physical  security.  Other  critical  components,  such  as  substations,  are  routinely 
unattended,  and  therefore  more  vulnerable  to  attack.  Many  substations  are  considered 
critical  assets,  meaning  their  loss  “would  have  a  significant  impact  on  the  ability  to  serve 
large  quantities  of  customers  for  an  extended  period  of  time”  [NERC  2004],  Proper 
identification  of  the  sets  of  most  critical  components  is  a  necessary  step  to  ensure  that 
limited  resources  are  optimally  allocated  to  enhance  the  reliability  and  security  of  the 
U.S.  power  grid. 

B.  SYSTEM  INTERDICTION  AND  DEFENSE 

In  a  “system-defense  model,”  a  “defender”  seeks  to  limit  the  amount  of  damage 
an  aggressor  can  inflict  by  attacking  the  defended  system.  The  defender  uses  limited 
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defensive  resources  to  protect  certain  system  components,  making  them  less  vulnerable  to 
attack.  In  order  to  properly  identify  the  crucial  components  to  defend,  the  defender  must 
understand  how  a  potential  aggressor  would  attack  or  “interdict”  the  system.  System 
interdiction  refers  to  the  attacker’s  role.  The  “attacker”  seeks  to  inflict  maximum  damage 
by  destroying  system  components  using  limited  offensive  resources. 

The  system-defense  problem  can  be  viewed  as  a  three-stage,  two-person  game 
between  the  defender  and  attacker.  First,  the  defender  hardens  or  protects  certain  system 
components.  Next,  the  attacker,  knowing  which  components  are  protected  and  which  are 
not,  interdicts  (attacks  and  destroys)  unprotected  components  in  order  to  inflict  maximum 
damage.  Finally,  the  defender  operates  the  undamaged  portion  of  the  system  in  the  most 
efficient  manner.  In  an  electrical  grid,  this  will  typically  mean  minimizing  the  post¬ 
attack  “disruption,”  i.e.,  unmet  demand  for  electricity.  (Disruption  can  also  include 
increased  costs  for  meeting  any  or  all  demand.)  As  described,  the  defender  has  two  roles: 
to  physically  protect  the  system,  and  to  operate  the  system  efficiently.  Although  these 
roles  are  often  filled  by  distinct  entities,  they  share  a  common  goal  and  can  be  viewed  as 
a  single  player  in  this  two-person  game. 

Mathematical  models  can  be  used  to  solve  this  system-defense  game.  Brown, 
Carlyle,  Sahneron,  and  Wood  [2006]  propose  a  trilevel  defender-attacker-defender 
(DAD)  model  to  find  optimal  sets  of  components  to  defend,  given  worst-case  interdiction 
and  optimal,  post-interdiction,  system  operation.  With  fixed  defenses,  the  DAD  model 
becomes  a  bilevel  attacker-defender  (AD)  model  that  optimizes  system  interdiction  given 
optimal,  post-interdiction,  system  operation. 

The  basic  model  for  the  AD  and  DAD  problems  has  the  defender  fill  the  role  of 
system  operator.  Here,  the  defender  seeks  to  minimize  “cost”  by  efficient  operation  of 
the  system.  The  defender’s  problem  (D)  can  be  expressed  as: 

(D)  mincy 

where  c  is  a  vector  of  component  operating  costs  and  y  is  the  activity  level  for  each 
component.  All  operating  constraints  are  represented  byveT.  “Activity  level”  will 
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represent  current  flow,  or  generation,  or  level  of  unmet  demand  in  our  electric-power 
problem,  Costs  will  include  costs  of  generation  as  well  as  penalties  for  unmet  demand. 


The  attacker  seeks  to  inflict  maximum  damage  by  interdicting  components  in  the 
system.  This  damage  can  be  viewed  as  additional  costs  that  the  defender  must  incur  by 
operating  the  interdicted  system.  The  bilevel  attacker-defender  (AD)  problem  is: 


(AD) 


max  mm  cy 

xeX  yeF(x) 


where  x  is  a  binary  vector  that  defines  which  system  components  are  interdicted, 
xeX  represents  the  set  of  constraints  on  the  attacker’s  resources  (and  the  fact  that  a'  must 
be  binary),  and  Y  (x)  represents  feasible  operating  conditions  for  the  defender  after 

attack  x.  AD  assumes  that  the  attacker  has  perfect  infonnation  regarding  the  system, 
including  how  the  defender  will  operate  the  system  after  any  given  attack.  This  is  a 
reasonable,  conservative  assumption  for  the  defender. 

The  final  step  is  to  protect  key  components  in  the  system,  making  them 
invulnerable  to  attack.  (Defenses  that  imbue  only  partial  invulnerability  can  also  be 
modeled  with  this  paradigm.)  This  level  of  defense  creates  the  following  trilevel 
defender-attacker-defender  model: 


(DAD) 


min  max  nun  cv, 

wetV  xeX(w)  ysY(x) 


where  w  is  a  binary  vector  indicating  which  components  are  defended  (protected), 
weJV  is  the  set  of  constraints  imposed  on  the  defender,  and  X[w)  is  the  set  of  feasible 
attacks  after  defense. 


1.  Interdicting  Electrical  Power  Grids 

The  bilevel  AD  model  can  be  used  to  find  optimal  attacks  on  electrical  power 

grids.  Salmeron  et  al.  [2003,  2004-1,  2004-11,  2005,  2007],  Alvarez  [2004],  Carnal 

[2005],  and  Schneider  [2005]  have  applied  these  techniques  to  study  power-grid 

interdiction,  where  the  aggressor  attacks  components  in  the  grid  to  maximize  disruption. 

Disruption  may  be  expressed  as  “total  load  shed”  which  is  total  unsatisfied  demand  for 

electricity  expressed  in  terms  of  either  power  or  energy,  or  as  a  cost  with  a  dollar  value 
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per  unit  of  load  shed.  The  latter  case  is  desirable  if  the  cost  of  load  shed  varies  among 
buses  and/or  customer  sectors.  For  example,  shedding  power  from  a  hospital  could  be 
deemed  more  costly  than  from  a  residential  area.  (Actually,  “total  disruption  cost”  will 
also  include  increased  generation  costs  resulting  from  interdiction,  but  these  will 
normally  be  much  smaller  than  the  penalty  costs  for  unmet  demand  and  can  be  ignored 
for  the  most  part.) 

a.  DCOPF 


The  basic  operating  model  (the  “D”  model  in  “AD”)  is  known  as  the 
Direct  Current  Optimal  Power  Flow  model  (DCOPF).  This  model  minimizes  the  total 
cost  of  operating  an  electrical  power  grid  by  proper  selection  of  power  generation  levels. 
Total  cost  is  defined  as  the  cost  of  generating  electricity  plus  a  penalty  cost  for  load  shed. 
Power  generation  levels  determine  the  amount  of  load  shed  and  the  phase  angle  at  each 
bus,  which  determines  the  amount  of  power  each  line  carries. 


Appendix  A.l  provides  the  fonnulation  for  DCOPF.  That  formulation 
includes  DC  lines  which  are  omitted  from  the  following  discussion  for  brevity.  The 
objective  function,  Equation  A.  1  is  shown  below: 


min 

pGen  pLine 


,S,0 


zvr 


+  ZZ  fA 


The  first  tenn  represents  the  cost  of  generating  power;  the  second  represents  the  cost  of 
load  shed. 


Equation  A. 3  is  the  balance-of-flow  constraint: 

ZC" -  Z  pi‘"  +  Z  piL"‘ = ZK -4)  v/ 

g  /|o(/)=i  l\d(l)=i  c 

This  states  that  for  each  bus  i,  the  amount  of  power  generated  at  the  bus  plus  the  net 
power  inflow  at  the  bus  equals  satisfied  demand  less  unsatisfied  demand  (total  demand 
minus  load  shed). 

The  electrical  impedance  constraint,  Equation  A. 2,  is  shown  below: 
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V/ 


This  equation  relates  the  power  on  a  line  to  that  line’s  impedance  through  its  susceptance, 
B \ ,  and  the  change  in  phase  angle,  0 ,  across  the  line. 

Our  DCOPF  model  is  a  simplified,  linear  representation  of  the  true 
behavior  of  an  electrical  power  grid.  DCOPF  only  models  active  power  flow,  neglecting 
reactive  power  and  transmission  losses.  Also,  DCOPF  assumes  that  changes  in  voltage 
magnitudes  have  minimal  effect  on  real  power,  and  can  be  neglected.  (Full  power  flow 
models  exist  that  account  for  reactive  power  flow,  transmission  losses,  and  voltages 
drops;  however,  these  models  are  nonlinear  and  are  much  more  difficult  to  solve.) 
Despite  the  approximations,  DCOPF  is  expected  to  yield  sufficiently  accurate  solutions 
for  AD  and  DAD  problems  for  our  electric-power  applications:  Wood  and  Wollenberg 
[1996]  state  that  “DC  power  flow  is  useful  for  rapid  calculations  of  real  power  flows,  and 
...is  very  useful  in  security  analysis  studies.”  Overbye,  Cheng,  and  Sun  [2004]  and 
Purchala,  Meeus,  Van  Dommelen,  and  Belmans  [2005]  conclude  that  DCOPF  is  an 
adequate  tool  for  modeling  real  power  flow,  noting  that  the  largest  deviations  from  full 
power  flow  models  occur  on  lightly  loaded  lines.  But,  lightly  loaded  lines  will  probably 
have  only  small  effects  in  the  AD  and  DAD  problems  for  electric  power.  Alvarez  [2004] 
compares  DCOPF  and  a  full  AC  power  flow  model  on  an  electric  grid  before  and  after 
interdiction,  also  concluding  that  DCOPF  yields  an  acceptable  approximation. 

Note:  Hereafter,  except  where  specified,  “D,”  “AD”  and  “DAD”  all  refer 
to  the  electric-power  versions  of  these  generic  models. 

b.  I-DCOPF 

Sahneron  et  al.  [2004-1]  develop  an  interdiction  model  known  as  I- 
DCOPF.  This  model  solves  the  AD  problem  with  DCOPF  used  as  the  model  for  system 
operation.  Appendix  A.2  contains  the  formulation  for  I-DCOPF.  Various  techniques 
have  been  suggested  for  solving  I-DCOPF  including  heuristics,  conversion  to  a  mixed- 
integer  program  (MIP),  and  decomposition  methods. 
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I-DCOPF  is  a  max-min  problem  and  cannot  be  solved  using  standard 
mathematical-programming  techniques.  Sahneron  et  al.  [2004-11]  present  a  method  for 
converting  I-DCOPF  into  a  standard  maximizing  MIP,  by  first  linearizing  and  then  taking 
the  dual  of  the  DCOPF  problem  with  additional  interdiction  variables.  Although  this 
formulation  can  solve  I-DCOPF  on  small  test  grids,  the  MIP  formulation  is  intractable  for 
realistically  sized  networks. 

Brown  et  al.  [2006]  and  Sahneron  and  Wood  [2007]  present  a  Benders 
decomposition-based  algorithm  for  solving  I-DCOPF.  The  Benders  subproblem  is  the 
DCOPF  model  that  is  first  solved  for  the  non-interdicted  network.  The  master  problem 
then  finds  an  upper  bound  on  the  interdiction  problem  by  optimistically  estimating  the 
amount  of  disruption  the  attacker  can  inflict  based  on  the  DCOPF  solution.  The  master 
problem  (MP)  can  be  stated  as: 

(MP)  max  z 

z,5 

s.t.  z<f(Sp)  +  g(p,S )  for p  = 

where  p  is  the  iteration  number;  8P  is  the  interdiction  plan  for  the  /;-th  subproblem  ( 8 
replaces  x  in  this  AD  model  to  avoid  confusion  with  the  electrical  engineering  use  of  “x” 
which  typically  represents  reactance);  f(8p )  is  the  minimum  total  system  operating  cost 

(generation  plus  penalty  costs)  given  interdiction  plan  8P ;  and  g(p,8 )  is  an  upper 
bound  on  the  amount  of  additional  damage  that  can  be  inflicted  if  interdiction  plan  8 
occurs  after  8P  .  In  particular,  g  ( p,  8P  j  =  0 ,  so  the  p- th  constraint  (“Benders  cut”) 

evaluates  f{dp  j  exactly  if  8  =  8P .  Otherwise,  the p- th  cut  overestimates  disruption  and 

therefore  MP  yields  an  upper  bound  on  the  optimal  interdiction  plan.  The  master 
problem  also  includes  interdiction  resource  constraints,  8  e  A ,  and  solution-elimination 
constraints  (not  listed)  which  ensure  that  previously  explored  interdiction  plans  are  not 
repeated. 

Solving  MP  produces  an  interdiction  plan,  8P  ,  and  an  upper  bound  on  the 
optimal  cost,  zp .  The  DCOPF  subproblem  is  then  re-solved  with  the  given  set  of 
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interdicted  components,  and  another  cut  is  added  to  MP  before  solving  it  again.  This 
process  is  repeated  until  the  lower  bound  (from  the  most  disruptive  interdiction  plan 
evaluate  through  the  subproblem)  and  the  upper  bound  (from  the  master  problem) 
converge. 

C.  THESIS  OBJECTIVES 

The  purpose  of  this  thesis  is  to  develop  a  new  mathematical  model  to  solve  the 
DAD  problem  for  electrical  power  grids  and  integrate  this  model  into  the  Vulnerability  of 
Electrical  Grids  Analyzer  (VEGA)  optimization  module.  VEGA  is  a  decision-support 
system  [Salmeron  et  al.  2005;  Wood  and  Salmeron,  2006;  Salmeron  and  Wood,  2007] 
that  implements  AD  algorithms  for  electrical  power  grids.  It  also  implements  the 
prototype  DAD  algorithm  described  by  Brown  et  al.  [2006]. 

We  also  explore  a  method  to  reduce  the  solution  time  for  the  I-DCOPF  model. 
Successful  solution  of  the  DAD  problem  depends  on  rapid  solution  of  AD.  We  evaluate 
how  the  solution  to  AD  can  be  expedited  by  relaxing  the  impedance  constraints  in  I- 
DCOPF.  This  enhancement  is  integrated  into  VEGA  as  an  added  functionality. 

D.  THESIS  OUTLINE 

Chapter  II  introduces  a  model  and  solution  algorithm  entitled  “Defense  of  Known 
Interdictions”  (DKI)  that  solves  the  DAD  problem  for  electrical  power  grids.  Chapter  III 
develops  and  tests  a  model  called  “Network  Dual  Relaxation”  (NDR)  that  improves  I- 
DCOPF  solution  time.  Chapter  IV  presents  conclusions  and  recommendations. 
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II.  DEFENSE  OF  KNOWN  INTERDICTIONS 


A.  INTRODUCTION  TO  DKI 

The  generic  DAD  model  defines  a  type  of  a  two-person  game.  Israeli  [1999] 
develops  a  nested  algorithm  for  solving  DAD  when  the  inner  “D”  represents  a  standard 
shortest-path  problem  on  a  network.  In  this  algorithm,  the  defender  proposes  a  set  of 
defended  components  (network  arcs)  and  the  attacker  solves  the  corresponding  AD 
problem  to  find  an  interdiction  set  that  maximizes  disruption  (increase  in  shortest-path 
length)  to  the  defended  system.  The  defender  then  responds  to  block  the  attacker’s 
interdiction  plan,  if  possible,  but  he  is  not  allowed  to  repeat  any  previous  defense  plan. 
The  algorithm  identifies  an  optimal  defense  plan  when  the  restricted  lower  bound  from 
the  defense  master  problem  exceeds  the  value  of  the  best  interdiction  plan  found. 

This  section  develops  a  new  model,  called  “Defense  of  Known  Interdictions” 
(DKI),  and  uses  that  in  a  new  iterative  algorithm,  denoted  ADKI,  to  find  optimal 
defensive  sets  for  the  electric-power  DAD.  At  each  iteration  of  the  algorithm,  the 
attacker  proposes  an  interdiction  plan  consisting  of  a  set  of  interdicted  components.  The 
resulting  cost  (implicitly,  disruption)  is  evaluated  by  the  basic  operating  (D)  model.  In 
order  to  “prevent”  a  given  interdiction  plan,  the  defender  must  protect  at  least  one 
component  from  the  corresponding  interdiction  set.  DKI  uses  this  fact  to  find  an  optimal 
defensive  set  based  on  all  of  the  interdiction  plans  proposed  so  far. 

If  all  of  the  possible  interdiction  plans  (and  their  disruption  levels)  can  be 
explicitly  enumerated,  then  finding  the  best  defense  is  relatively  easy.  At  least  one 
component  from  the  most  damaging  (costly)  interdiction  plan  must  be  defended,  and  then 
one  from  the  second  most  damaging  interdiction  plan,  and  so  on.  This  is  repeated  until 
the  defensive  resource  is  depleted.  This  principle  is  demonstrated  in  the  following 
example. 
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Figure  1  shows  a  simple,  six-bus  electrical  grid.  Bus  and  line  parameters  are 
included  in  Tables  1  and  2,  respectively.  Assuming  the  attacker  will  interdict  exactly  two 
buses,  fifteen  possible  interdiction  plans  exist.  These  are  enumerated  in  Table  3. 


B06 


Figure  1.  Six-bus  electrical  grid  to  demonstrate  ADKI.  Buses  are  labeled  B01-B06. 


Bus 

Name 

Demand  d, 
(MW) 

Shedding 
Cost  ft 
($/MWh) 

Generation 
Capacity  Pgen 
(MW) 

Generation 
Cost  hg 
($/MWh) 

B01 

10 

100 

25 

1.0 

B02 

25 

100 

60 

1.0 

B03 

15 

100 

0 

0.0 

B04 

10 

100 

15 

1.0 

B05 

15 

100 

0 

0.0 

B06 

15 

100 

0 

0.0 

Table  1 .  Bus  data  for  the  six-bus  grid  in  Figure  1 .  See  usage  of  parameters  in  the  DCOPF 
model  in  Appendix  A. 
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Line  / 
Name 

Origin 
Bus  o{I) 

Destination 
Bus  d(I ) 

Capacity  P/Jne 
(MW) 

Resistance  r, 
(per  unit) 

Reactance  x, 
(per  unit) 

L12 

B01 

B02 

60 

0.003 

0.014 

L16 

B01 

B06 

25 

0.033 

0.127 

L23 

B02 

B03 

30 

0.050 

0.192 

L34 

B03 

B04 

30 

0.023 

0.088 

L45 

B04 

B05 

30 

0.014 

0.061 

L56 

B05 

B06 

25 

0.010 

0.074 

Table  2.  Line  data  for  the  six-bus  grid  in  Figure  1 .  See  usage  of  parameters  in  the  DCOPF 
model  in  Appendix  A. 


Interdiction 

Shed 

Cost 

Interdiction 

Shed 

Cost 

Set 

(MW) 

($) 

Set 

(MW) 

($) 

{B0 1 ,  B02} 

75 

7515 

{B03,  B06} 

40 

4050 

{B02,  B04} 

65 

6525 

{B04,  B06} 

40 

4050 

{B02,  B06} 

65 

6525 

{B03,  B04} 

30 

3060 

{B01,  B03} 

50 

5040 

{B03,  B05} 

30 

3060 

{B01,  B04} 

50 

5040 

{B05,  B06} 

30 

3060 

{B02,  B03} 

50 

5040 

{B0 1 ,  B06} 

25 

2565 

{B02,  B05} 

50 

5040 

{B04,  B05} 

25 

2565 

{B01,  B05} 

40 

4050 

Table  3.  All  possible  interdiction  plans  for  the  six-bus  grid  in  Figure  1  assuming  the 

attacker  interdicts  exactly  two  buses.  Resulting  disruption  in  terms  of  load  shed 
and  total  cost  is  included.  Duration  of  the  study  is  one  hour.  That  is,  costs  are 
evaluated  only  over  the  first  hour  after  interdiction. 

Inspection  of  Table  3  shows  that  the  defender  must  defend  either  B01  or  B02  (or 
both)  to  prevent  the  most  severe  attack.  However,  B02  is  the  more  intuitive  choice 
because  it  also  prevents  the  second  and  third  most  severe  attacks.  With  B02  defended, 
the  optimal  interdiction  set  is  either  {B01,  B03}  or  {BO  1 ,  B04}  with  a  resulting  total  cost 
of  $5040.  Defending  B01  instead  of  B02  results  in  two  possible  interdiction  sets  with 
$6525  of  total  cost,  {B02,  B04}  and  {B02,  B06}.  Similarly,  it  is  apparent  that  the  best 
two-bus  defense  is  B01  and  B02  with  a  resulting  total  cost  of  $4050,  and  the  best  three- 

bus  defense  is  B01,  B02,  and  B06  with  a  $3060  total  cost. 
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Scaparra  and  Church  [2006]  utilize  this  concept  of  interrupting  an  interdiction 
plan  by  defending  at  least  one  component  to  defend  a  service-supply  network.  Their 
network  contains  p  facilities  and  a  set  of  costumers,  with  each  costumer  serviced  from  the 
nearest  facility.  The  purpose  of  defending  the  network  is  to: 

Identify  the  set  of  q  facilities  to  secure  or  “fortify”,  so  that  after  interdiction,  the 
remaining  system  operates  as  efficiently  as  possible. 

Likewise,  they  define  the  interdiction  problem  as: 

Of  the  p  existing  locations  of  supply,  find  the  subset  of  r  facilities,  which  when 
removed,  yields  the  highest  level  of  weighted  distance. 

The  algorithm  they  develop  is  based  on  the  following  observation: 

Let  /  be  the  set  of  r  interdictions  in  the  optimal  solution  to  the  lower-level 
(interdiction)  problem  without  fortification.  Then  the  optimal  set  of  q 
fortifications  must  include  at  least  one  of  the  r  facilities  in  I. 

Scaparra  and  Church  apply  this  observation  recursively  using  an  enumerative, 
tree-search  algorithm  to  solve  for  the  optimal  defense.  This  algorithm  finds  the  optimal 
interdiction  plan  for  the  undefended  network  (r  interdicted  components),  which  becomes 
the  root  node.  One  branch  is  defined  for  each  interdicted  component,  and  that  component 
is  defended.  Next,  the  optimal  interdiction  is  evaluated  for  each  of  the  r  defended 
networks,  and  again  r  branches  are  defined  for  each  node.  This  continues  until  all 
possible  defenses  are  considered  (q  defended  components  results  in  a  tree  depth  of  q+l). 

Figure  2  illustrates  this  concept  for  the  six-bus  grid  assuming  two  defended  and 
two  interdicted  components  (q  =  r  =  2).  Interdiction  sets  are  represented  with  brackets, 
such  as  {BO  1 ,  B02},  and  defensive  sets  use  parentheses,  such  as  (B01).  The  notation 

[B02,  BOlj  shows  that  bus  B02  is  defended  and  B01  is  not.  The  optimal  defense, 

optimal  attack  on  the  defended  network,  and  resulting  total  cost  correspond  to  the  node 
with  the  lowest  total  cost  (defend  (B01,  B02),  attack  {B03,  B06},  total  cost  $4050). 
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{BO  1 ,  B02} 
$7515 


Figure  2.  Enumeration  tree  to  solve  the  six-bus  example  of  Figure  1  assuming  two  defended 
and  two  interdicted  components.  Each  node  shows  the  optimal  interdiction  and 
resulting  disruption  in  terms  of  total  cost. 

B.  THE  DKI  MODEL 

The  DKI  model  uses  the  same  concept  of  protecting  at  least  one  component 
among  those  in  any  incumbent  interdiction  plan  in  order  to  disrupt  such  an  attack. 
However,  instead  of  considering  only  one  worst-case  attack  at  a  time  (see  Figure  2),  we 
simultaneously  examine  multiple  interdiction  plans  including  (but  not  limited  to)  the 
incumbent  optimal  to  determine  the  recommended  defensive  plan.  In  Section  I.l.b  we 
described  the  decomposition-based  algorithm  to  solve  I-DCOPF  (AD),  showing  that  the 
process  generates  Benders  cuts  that  correspond  to  feasible  interdiction  plans,  in  addition 
to  the  optimal  one.  DKI  explicitly  uses  all  known  interdiction  plans  to  provide  a  tentative 
defensive  plan. 
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In  the  following  formulation,  we  express  disruption  through  total  operating  cost, 
without  loss  of  generality.  (Disruption  is  simply  interdicted  operating  cost  less  the 
nominal  operating  cost,  which  is  a  constant.)  The  DKI  model  finds  an  optimal  defense 
against  a  set  of  known  interdiction  plans,  which  will  be  form  a  subset  of  all  possible  plans 
in  practical  applications.  The  DKI  model  formulation  follows: 


Indices  and  Index  Sets: 


p  e  P  Subset  of  all  possible  interdiction  plans 

c  e  C  Components  that  may  be  interdicted 

Parameters  and  [units]  if  applicable: 


Damagep 

DC, 

DR 


Decision  Variables: 


Minimum  operating  cost  given  interdiction  plan  p  [$] 
Cost  to  defend  component  /'  [$] 

Total  defensive  resource  [$] 

1  if  component  c  is  interdicted  by  plan  p , 

0  otherwise 


z 

w, 


Objective  value 

1  if  component  c  is  defended,  0  otherwise 


Formulation: 


(DKI)  min  z 

z,w 


s.t. 


z  >  Damage 


f  \ 


l-Yt?  w 

L-t  c.p  C 

\  c  y 


Y_DCcwt<DR 


wc  e  {0,1}  VceC 
z  >  0 


\/p  e  P 


(2.1) 

(2.2) 
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The  objective  function,  z,  represents  the  amount  of  damage  caused  by  the  most 
severe  interdiction  plan  that  cannot  be  defended  against.  If  at  least  one  component  from 
every  interdiction  plan  p  e  P  is  defended  ( 8 c  p  =1  and  wc  =  1  for  at  least  one  c  in  every 

p),  then  constraints  (2.1)  imply  z>ap  where  ap<  0  for  all  peP,  and  the  non¬ 
negativity  of  z  implies  the  optimal  objective  value  is  z  =  0 .  If  none  of  the  components 
from  a  given  interdiction  plan  p  are  defended,  constraint  (2.1)  implies  z>  Damage  . 

Constraint  (2.2)  is  the  defensive-resource  constraint. 

The  DKI(T>)  model  produces  an  optimal  defensive  plan  against  the  known 
interdiction  plans  peP.  The  optimal  objective  value  gives  the  value  of  the  worst 
interdiction  that  cannot  be  defended  with  the  given  resources.  This  is  a  lower  bound  on 
the  optimal  objective  value  to  DAD  because  P  is  only  a  subset  of  all  possible  interdiction 
plans.  DKI  can  be  applied  in  an  iterative  algorithm  (ADKI)  to  solve  DAD.  Constraints 
of  the  form  w^wp  for  all  p  e  P  are  added  to  prevent  previous  defensive  plans  from 

recurring.  Since  wp  is  binary,  these  elimination  constraints  are  easy  to  implement. 

DKI  solves  quickly.  Since  only  the  components  for  which  interdiction  plans  have 
been  generated  are  considered,  this  mixed-integer  problem  is  smaller  than  that  of  the 
master  problem  in  the  I-DCOPF  model,  which,  by  construction,  is  very  dense.  The  size 
of  the  problem  can  be  reduced  further  by  only  including  proposed  interdictions  with  cost 
above  a  given  threshold.  For  example,  only  proposed  interdictions  with  damage  greater 
than  the  incumbent  lower  bound  on  the  DAD  model  need  be  considered. 

Figure  3  shows  a  flowchart  of  the  ADKI  process.  The  first  step  is  to  initialize  the 
lower  bound  (LB)  to  zero,  empty  the  set  of  interdiction  plans  P,  and  solve  I-DCOPF  for 
the  undefended  network.  The  result  is  the  worst-case  attack  on  the  network,  and  this 
becomes  the  initial  upper  bound.  The  next  step  is  to  solve  DKI  (P) .  This  yields  a 
recommended  defense  plan  for  the  given  set  of  interdiction  plans  and  the  cost  of  the  most 
severe  attack  that  cannot  be  defended,  which  becomes  the  updated  lower  bound.  The 
defender  cannot  lower  his  cost  below  this  bound  without  additional  resources.  With  the 
recommended  defense  plan  from  DKI  (P) ,  the  next  step  is  to  find  the  optimal  attack 


15 


against  the  defended  network.  If  the  resulting  cost  improves  the  upper  bound,  the  bound 
is  adjusted  and  that  defense  plan  becomes  the  incumbent  solution.  The  upper  bound 
represents  the  maximum  damage  that  the  attacker  can  cause  without  using  additional 
resources.  The  upper  and  lower  bound  are  now  compared  to  each  other  for  convergence, 
providing  a  termination  criterion.  The  DKI  algorithm  is  solved  to  find  a  new  defensive 
plan,  enforcing  the  constraint  w  ^  wp  for  all  p  eP ,  and  the  above  steps  are  repeated. 

This  algorithm  eventually  produces  an  optimal  defensive  plan,  a  corresponding  optimal 
attack  on  the  defended  network,  and  the  resulting  costs. 
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Figure  3.  Flowchart  of  DKI  algorithm  to  solve  DAD  problem.  Optimal  defensive  plan  is 

* 

w  . 
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c. 


COMPUTATIONAL  RESULTS 


We  have  implemented  the  DKI  algorithm  using  the  Xpress-MP  2006 
mathematical  programming  system  on  a  3.72  GHz  desktop  computer  with  3GB  of  RAM. 
The  master  problem  for  the  I-DCOPF  is  exported  and  solved  using  CPLEX  10.0.  The 
master  problem  given  by  DKI,  and  the  I-DCOPF  subproblem,  are  solved  by  the  Xpress- 
Optimizer. 

The  test  network  is  the  IEEE  Three  Area  1996  Reliability  Test  System  (RTS  3- 
Area)  [IEEE  1999].  This  test  set  consists  of  73  buses,  99  generators,  120  lines,  and  6 
substations.  Substations  are  not  explicitly  identified  in  the  RTS  test  data,  but  are  defined 
as  a  set  of  buses  interconnected  by  transformers.  This  definition  allows  the  attacker  to 
simultaneously  attack  all  the  components  of  a  substation.  Interdiction-resource  and 
system-restoration  data  follow  that  of  Sahneron  et  al.  [2004-1].  One  unit  of  resource  is 
required  to  interdict  an  overhead  line,  two  units  for  a  transfonner,  and  three  units  for  a 
bus  or  a  substation.  Long-term  disruption  analysis  assumes  the  following  repair  times:  72 
hours  for  overhead  lines,  360  hours  for  bus,  and  768  hours  for  a  transformer  or 
substation.  The  cost  of  load  shed  is  assumed  to  be  $l,000/MWh  for  all  customers.  Each 
type  of  component  requires  the  same  amount  of  resource  to  defend.  This  may  not  be 
realistic  as  the  cost  of  defending  an  overhead  power  line  may  be  significantly  different 
than  the  cost  of  defending  a  substation.  However,  the  assumption  of  equal  costs  suffices 
to  demonstrate  the  methodology. 

Table  4  shows  how  ADKI  solves  DAD.  These  results  cover  the  following 
conditions:  RTS  3-Area,  only  buses  are  interdicted;  nine  units  of  interdiction  resource 
(interdict  three  buses);  and  six  units  of  defensive  resources  (protect  six  buses).  This  is  a 
short-duration  study,  evaluating  only  one  hour  of  operation  after  an  attack.  For  short- 
duration  cases,  the  objective  of  the  attacker  is  to  maximize  power  disruption;  component 
restoration  and  load  duration  curves  are  ignored.  For  each  iteration,  the  table  shows  the 
set  of  defended  components  from  DKI  ( P ) ,  the  resulting  set  of  interdicted  buses  from  I- 
DCOPF,  the  cost  of  disruption,  and  the  lower  and  upper  bounds  on  the  DAD  solution. 

For  these  conditions,  defending  fewer  than  10%  of  the  buses  (six  out  of  seventy-three) 
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reduces  the  cost  of  the  worst-case  interdiction  by  over  20%  ($14.23  x  10^  to  $1 1.05x1 05). 
In  this  example,  the  optimal  defense  is  found  at  the  final  iteration.  However,  that  is  not 
always  the  case.  It  is  possible  that  the  algorithm  identifies  the  optimal  solution  but  the 
upper  bound  requires  extra  iterations  to  converge  to  the  value  of  that  optimal  solution. 
Figure  4  shows  a  plot  of  the  upper  and  lower  bound  for  this  problem  as  a  function  of 
solution  time. 


Iteration 

Defended  Components 

Interdiction  Set 

Cost 

($xl05) 

LB 

($xl05) 

UB 

($xl05) 

1 

Undefended 

{315,316,  323} 

14.34 

8.22 

14.37 

2 

{113,215,223,315,316,318} 

{313,321,323} 

11.73 

9.98 

11.73 

3 

{115,  123,213,218,315,323} 

{215,216,  223} 

12.69 

10.18 

11.73 

4 

{118,  123,216,218,318,323} 

{313,315,316} 

12.01 

10.64 

11.73 

5 

{113,  115,215,223,315,323} 

{118,218,318} 

11.57 

10.70 

11.57 

6 

{113,215,218,223,315,323} 

{115,  118,318} 

11.30 

10.74 

11.30 

7 

{113,  118,223,315,318,323} 

{115,215,218} 

11.05 

10.95 

11.05 

Table  4.  Iterations  of  ADKI  to  solve  DAD  for  the  RTS  3-Area  Case.  Only  buses  are 

interdicted.  Three  components  are  attacked  and  six  are  defended.  Duration  of 
study  is  one  hour. 
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DAD  Bounds  vs  Time  for  RTS  3  Area 


Figure  4.  Upper  and  lower  bounds  on  DAD  versus  time  using  ADKI. 

In  addition  to  identifying  critical  components,  decision-makers  should  know  the 
benefit  gained  by  defense.  Figure  5  shows  the  drop  in  total  cost  as  the  number  of 
protected  components  increases.  These  results  are  for  the  RTS  3-Area  case  assuming 
only  buses  and  substations  can  be  attacked,  with  interdiction  resources  of  nine,  six,  and 
three  units.  When  two  components  are  interdicted,  defense  of  one,  two  or  three 
components  lowers  disruption  significantly.  The  value  of  defense  tapers  off  then,  so  that 
defending  six  components  is  not  much  better  than  defending  three.  The  curve  for  three 
interdicted  components  does  not  exhibit  this  behavior:  defending  added  components 
steadily  lowers  the  amount  of  disruption.  This  type  of  information  is  necessary  to 
perform  cost-benefit  analysis  when  planning  to  defend  a  system. 
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Drop  in  Total  Cost  as  Additional  Components  Are  Defended 


Figure  5.  Total  operating  cost  achieved  for  various  amounts  of  interdiction  and  defensive 
resources. 

ADKI  successfully  solves  DAD  for  small  networks  such  as  the  RTS  3-Area  grid. 
The  ultimate  goal  is  to  solve  DAD  for  realistically  sized  networks.  However,  solving 
DAD  using  the  ADKI  requires  efficient  solution  of  the  AD  subproblem,  i.e.,  I-DCOPF, 
and  our  computational  experience  shows  that  solving  this  problem  for  a  large,  defended 
network  is  extremely  difficult. 

In  fact,  the  vast  majority  of  time  required  to  solve  DAD  is  spent  solving  the  AD. 
Figure  6  shows  a  histogram  of  the  fraction  of  DKI  solution  time  to  total  DAD  solution 
time.  This  data  is  from  the  RTS  3-Area  with  various  combinations  of  attack  and  defense 
resource  levels.  In  all  cases,  the  amount  of  time  to  solve  the  DKI  model  is  a  very  small 
fraction  of  the  total  solution  time,  always  less  than  1%.  Scaparra  and  Church  [2006] 
make  a  similar  observation  stating  that  solving  their  interdiction  model  is  “the  most 
computationally  expensive  operation  of  the  procedure.”  Thus,  the  primary  obstacle  to 
solving  DAD  for  large  networks  is  I-DCOPF  solution  time.  The  next  chapter  explores  a 
method  to  reduce  this  time. 
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Fraction  of  DKI  Time  to  Total  Time 


0  0.001  0.002  0.003  0.004 
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Figure  6.  Histogram  of  the  time  required  to  solve  the  DKI  model  as  a  fraction  of  total  DAD 
algorithm  time.  This  figure  implies  that  the  vast  majority  of  the  time  spent 
solving  DAD  by  ADKI  is  spent  in  solving  the  AD  subproblem. 
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III.  NETWORK  DUAL  RELAXATION 


As  noted  in  the  previous  chapter,  the  vast  majority  of  computational  time  required 
to  solve  DAD  is  dedicated  to  solving  AD,  i.e.,  I-DCOPF.  Consequently,  significant 
reductions  in  DAD  computational  time  can  be  achieved  by  reducing  I-DCOPF  solution 
times.  I-DCOPF  is  solved  using  a  decomposition-based  algorithm  [Sahneron  and  Wood 
2007]  in  which  a  subproblem  and  master  problem  are  solved  iteratively  until  the  lower 
and  upper  bounds  converge  to  the  optimal  value.  Improving  either  the  upper  bound  or 
lower  bound  can  potentially  improve  total  solution  time  for  I-DCOPF. 

With  the  exception  of  the  admittance  constraint,  the  DCOPF  model  that  is 
embedded  within  I-DCOPF  is  an  example  of  a  minimum  cost  network  flow  problem, 
which  can  be  solved  as  a  MIP  or,  even  more  efficiently,  by  decomposition.  Furthermore, 
the  admittance  constraint  is  non-linear  in  the  interdiction  model,  requiring  extra 
constraints  to  linearize  in  I-DCOPF.  Removing  the  admittance  constraint  leads  to  a 
relaxation  on  DCOPF  and  the  resulting  solution  would  yield  a  lower  bound  on  the  actual 
DCOPF  cost.  However,  our  interest  is  not  actually  in  the  disruption  provided  by  the 
relaxed  model,  but  in  the  solution  to  I-DCOPF  assuming  the  interdiction  set  from  the 
relaxation.  Therefore,  the  attack  plan  from  the  relaxed  model  can  be  assessed  with 
DCOPF  to  obtain  a  more  accurate  bound  on  I-DCOPF.  If  such  a  model  can  find  an 
acceptable  lower  bound  quickly,  overall  solution  time  for  the  decomposition  algorithm 
that  solves  I-DCOPF  should  improve. 

A.  MAXIMIZING  MINIMUM  COST  IN  A  NETWORK 

Israeli  and  Wood  [2002]  develop  a  model.  Maximizing  the  Shortest  Path  (MXSP), 
to  solve  the  AD  problem  for  a  shortest  path  network.  MXSP  assumes  a  directed  network 
and  interdicts  arcs.  If  an  arc  is  interdicted,  a  penalty  is  added  to  that  arc  length.  The 
penalty  is  made  sufficiently  high  so  that  no  interdicted  arc  is  on  the  shortest  path.  MXSP 
is  a  max-min  problem.  This  is  converted  into  a  standard  maximizing  MIP  by  temporarily 
fixing  the  set  of  interdicted  components,  taking  the  dual  of  the  inner  (i.e.,  shortest  path) 
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problem  with  the  given  interdiction  set,  and  releasing  the  interdiction  set.  The  resulting 
MIP  can  be  solved  by  standard  techniques. 

Although  MXSP  is  defined  for  a  shortest  path  problem,  the  method  developed  by 
Israeli  and  Wood  can  be  applied  to  a  more  general  minimum  cost  network  flow  problem. 
The  formulation  for  Maximizing  the  Minimum  Cost  Flow  (MXMC)  follows: 

Indices  and  Index  Sets: 

/,  j  e  N  Set  of  nodes 

(/,/)  e  A  Arcs  directed  from  i  to  j 

Parameters  and  [units]  if  applicable: 

cL  j  Flow  cost  for  arc  (/,/)[$  /  unit  flow] 

di  .  Additional  damage  cost  to  arc  (i,  j )  [$  /  unit  flow] 

lr  Net  flow  (>0  at  supply,  <  0  at  demand,  =  0  transshipment) [flow] 

ut  .  Upper  bound  on  flow  for  arc  (/,  j ) [flow] 

r.  j  Resource  required  to  interdict  arc  (/',  j )  [$] 

r0  Total  interdiction  resource  [$] 

Variables: 

cf  .  1  if  arc  (z',y)  is  interdicted;  0  otherwise 

ytJ  Flow  on  arc  (/,  /) 
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Formulation: 


(MXMC) 

max  min 

Se A  yeY 

X  (cu+diAj)yu 

{U)*A 

s.t. 

X  y<j  -  X  yj,i=hij 

Vi  e  N 

w 

V<u 

Sl,j  l,J 

V(/,y)eX 

[-«,J 

O 

Al 

V(z,y)eX 

[-«,,] 

where  A  =  l  8  e  {0,1}  |  £  rUJSUJ  <r0 
{  (UM 


The  dual  variables  for  each  constraint  are  shown  in  square  brackets.  Taking  the  dual  of 
the  inner  minimum  cost  yields  the  following  MIP: 


(MXMC-D) 


max 

x,a,7t 


X/,7r/~  X  Uuau 

ieN 


s.t. 


*i-Kj-ai,j-dl.Aj^Ci.j 


aU  *  0 

5  e  A 


V  (hj)  e  A 

V  {Uj)  e  A 


B.  RELAXED  MODEL  FORMULATION 

The  solution  to  MXMC  identifies  an  optimal  set  of  arcs  in  a  directed  network  to 

interdict  in  order  to  maximize  cost.  MXMC  can  be  used  to  interdict  an  electrical  power 

grid  with  lines  equivalent  to  arcs  and  buses  equivalent  to  nodes  in  a  directed  network. 

However,  I-DCOPF  can  model  interdiction  of  lines,  buses,  substations,  and  generators. 

In  order  to  use  the  MXMC  model  to  predict  interdiction  sets  for  an  electrical  power  grid, 

the  grid  must  be  converted  to  an  equivalent  directed  network.  We  refer  to  the  resulting 

formulation  as  the  Network  Dual  Relaxation  (NDR)  model:  NDR  converts  an  electrical 

power  grid  into  a  directed  network,  relaxes  the  impedance  constraint,  and  implements  the 
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corresponding  interdiction  model.  That  is,  NDR  is  the  same  as  MXMC-D  applied  to 
electrical  power  grids.  The  steps  for  converting  an  electrical  power  grid  into  an 
equivalent  directed  network  are: 

•  Define  “infinite  capacity”  as  the  sum  of  all  load  demand  by  all  customers. 

•  Electrical  buses  are  represented  by  two  nodes,  inlet  and  outlet,  connected  by 
an  arc  with  zero  cost  and  infinite  capacity.  Interdicting  this  internal  arc  is 
equivalent  to  interdicting  the  bus.  All  arcs  entering  the  bus  enter  at  the  inlet 
node  and  all  arcs  leaving  the  bus  leave  from  the  outlet  node. 

•  Electrical  power  lines  are  represented  by  two  anti-parallel  arcs.  An  electrical 
power  line  is  equivalent  to  an  undirected  arc  joining  two  buses.  To  create  a 
directed  network,  one  arc  must  originate  at  the  outlet  node  of  each  connected 
bus  and  terminate  at  the  inlet  node  of  the  other.  These  arcs  have  zero  cost  and 
capacity  equal  to  the  maximum  power  for  the  line. 

•  Define  four  new  nodes:  Source,  Demand,  Generation,  and  Shed.  All  flow 
originates  at  the  Source  node,  passes  through  either  the  Generation  or  the 
Shed  node,  and  terminates  at  the  Demand  node.  The  Generation  node  is  the 
entry  point  into  the  electrical  network.  Flow  through  the  Shed  node  represents 
unmet  demand  (i.e.  load  shedding). 

•  Create  a  zero-cost,  infinite-capacity  arc  between  the  Source  and  Generation 
nodes  and  between  Source  and  Shed  nodes. 

•  Create  an  arc  for  each  generator  from  the  Generation  node  to  the  inlet  node  of 
the  corresponding  bus.  Arc  capacity  is  set  to  the  capacity  of  the  generator  and 
cost  is  the  cost  of  generation. 

•  Create  an  arc  with  infinite  capacity  and  cost  equal  to  the  cost  of  load  shed 
from  the  Shed  node  to  the  Demand  node. 

•  Create  an  arc  for  each  customer  demand  from  the  outlet  node  of  each  bus  to 
the  Demand  node.  The  capacity  equals  demand  at  that  bus,  and  the  cost  is 
zero. 

This  process  is  demonstrated  in  the  following  example.  Figure  7  shows  a  simple 
three-bus  electrical  grid  and  Figure  8  is  the  directed-network  equivalent.  Tables  5,  6,  and 
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7  show  the  equivalent  components,  costs,  and  capacities  for  the  DCOPF  model  using  the 
electrical  grid  and  the  NDR  model  using  the  network  equivalent. 

The  penalty  factor  added  to  each  interdicted  arc  ( d:  .  in  MXMC)  is  constant  for 

all  arcs  in  the  NDR  model.  We  set  this  equal  to  the  cost  of  load  shed  and  redefine  it  as 
d shed  •  Since  all  generation  costs  are  non-zero,  this  value  for  the  penalty  factor  properly 

models  an  interdicted  arc.  (Excessively  large  penalty  factors  can  slow  NDR  solution  time 
significantly.) 

The  interdiction  sets  for  NDR  and  I-DCOPF  are  equivalent  in  this  example.  For 
example,  interdicting  arc  (Blin,Blout)  in  Figure  8  is  equivalent  to  interdicting  bus  B1  in 

Figure  7.  Interdicting  a  line  requires  one  interdiction  variable  for  both  of  the  associated 
arcs  in  the  NDR  directed  network.  The  following  two  equations  demonstrate  the  NDR 
formulation  to  interdict  line  L12: 

-;rB2in  -QrBlout,B2m  ~dShedShn  <  0 
;TB2out  ~nmin  _QrB2out,Blm  12  -0 

To  interdict  substations,  we  use  one  interdiction  variable  in  the  equations  for  all 
associated  buses. 

As  formulated  above,  NDR  only  allows  for  one  consumer  sector.  Additional 
consumer  sectors  can  be  modeled  by  adding  a  unique  Demand  node  for  each.  Also,  NDR 
does  not  model  multi-period  cases  with  varying  loads.  We  approximate  multi-period 
cases  by  solving  NDR  for  a  single  aggregate  period. 

We  do  not  consider  component  restoration  time  in  the  current  NDR  formulation. 
When  solving  I-DCOPF,  the  interdiction  set  for  a  short-duration  study  may  differ 
significantly  from  that  of  a  long  duration  study  [Salmeron  and  Wood  2007].  Interdiction 
sets  in  long  duration  studies  generally  consist  of  components  with  long  restoration  times. 
NDR  identifies  the  set  of  components  to  interdict  that  maximizes  short-term  disruption 
This  limitation  in  NDR  can  be  overcome  by  only  considering  components  with  long 
restoration  times  (such  as  buses  or  substations).  The  result  is  analogous  to  a  long- 
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duration  I-DCOPF  study.  Implementing  multi-period  cases  and  component  restoration 
into  NDR  is  conceptually  easy,  and  can  be  accomplished  in  future  research. 

NDR  produces  a  feasible  interdiction  plan,  and  solving  the  DCOPF  model  with 
that  plan  implemented  evaluates  the  plan’s  cost  and  provides  a  valid  lower  bound  on  z* , 
the  optimal  objective  to  I-DCOPF.  Our  computational  experience  shows  that  this  bound 
is  very  good,  and  often  tight:  an  optimal  interdiction  plan  from  NDR  is  often  the  optimal 
solution  to  I-DCOPF.  This  makes  the  effort  to  solve  NDR  worthwhile. 
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DCOPF  Model 

Network  Equivalent 

Component 

type 

Component 

Component 

type 

Component 

Bus 

jBl} 

Node 

{B1,„,B10„,} 

Bus 

{B2} 

Node 

{B2,„,B2„} 

Bus 

{B3} 

Node 

{B3in,B3ou,} 

Fine 

{L12} 

Arc 

{( B  loul .  B2in ) ,  { B20ul ,  B  lin )} 

Fine 

{L23} 

Arc 

{(B2I„,B3„),(B3„,B2,n)} 

Generator 

{Gl} 

Arc 

{(Gen,Bl,n)} 

Generator 

{02} 

Arc 

{(Oen,B2in)} 

Consumer 

{Dl} 

Arc 

{(Blout,F>em)} 

Consumer 

{D3} 

Arc 

{(B3„,Dem)} 

Interdiction 

8  e  A 

Interdiction 

8  e  A 

NA 

No  equivalent  component 

Node 

{Sup,  Dem,  Gen,  Shed} 

NA 

No  equivalent  component 

Arc 

{(Sup, Shed) ,  (Shed, Dem)} 

Table  5.  Equivalent  components  for  three  bus  sample  grid  in  DCOPF  model  and  the 
network  equivalent  model. 


DCOPF  Model 

Network  Equivalent 

Item 

Cost 

Component 

Cost 

Gl 

^G1 

(Gen, Bl,,) 

c 

^G\ 

G2 

^G2 

(Gen,B2,„) 

r 

2 

Shed 

/ 

(Shed, Dem) 

r 

^ Shed 

Table  6.  Equivalent  cost  data  for  three  bus  DCOPF  and  network  equivalent. 
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DCOPF  Model 

Network  Equivalent 

Item 

Capacity 

or  Demand 

Component 

Capacity 

G1 

— Gen 

Pg\ 

(Gen,Bl„) 

uG1 

G2 

— Gen 

Pg2 

(Gen,B2in ) 

UG2 

L12 

— Line 

Pl\2 

(Bl™„B2j,(B2„,Blm) 

UL12 

L23 

— Line 

P  1.23 

(B2„u„B3m),(B3oil„B2m) 

UL2  3 

D1 

dDl 

(Blout,Dem) 

Umd 

D3 

dDi 

(B3out,Dem) 

U Bid 

Table  7.  Equivalent  capacity  and  demand  data  for  three  bus  DCOPF  and  network 
equivalent. 

C.  COMPUTATIONAL  EXPERIENCE 

As  with  ADKI,  we  have  implemented  NDR  using  the  Xpress-MP  2006 
optimization  system  on  a  3.72  GHz  desktop  computer  with  3GB  of  RAM.  The  NDR 
MIP  is  exported  and  solved  using  CPLEX  10.0. 

In  the  following  discussion,  z*  represents  the  true  optimal  disruption,  z(SI )  is  the 

disruption  for  the  incumbent  best  interdiction  plan  (and  a  lower  bound  on  z* )  obtained  by 
solving  I-DCOPF  using  the  decomposition  method  presented  in  Salmeron  and  Wood 
[2007],  and  zi  is  the  best  upper  bound  on  z*  from  the  same  method.  With  sufficient 
computational  time,  z(8! )  and  z7  converge  to  z  .  The  disruption  resulting  from  the 

optimal  interdiction  plan  recommended  by  NDR  is  denoted  z(S*NI:R) .  We  calculate 
optimality  gaps  for  NDR  using  z7 .  We  report  all  disruption  in  terms  of  total  cost. 

We  first  test  NDR  on  the  RTS  3-Area  network.  We  assume  that  only  buses  are 
interdicted.  Table  8  shows:  z(S*NDR)  and  the  time  required  to  reach  that  solution  (tNDR  ); 


31 


z(8j)  and  the  time  required  to  reach  that  solution  ( t, ).  Also  shown  is  the  incumbent 
objective  value  z(S,)  and  the  deviation  from  z*  at  tNDR  .  In  the  case  of  three  interdicted 

buses,  NDR  exactly  predicts  z*  after  0.36  seconds.  I-DCOPF  requires  7.7  seconds  to 
find  the  corresponding  optimal  solution.  In  all  cases  tested,  NDR  identifies  an  optimal 
interdiction  plan,  although  this  need  not  be  not  true  in  general.  This  example 
demonstrates  that  NDR  has  the  potential  to  produce  a  quality  lower  bound  for  z*  in  a 
fraction  of  the  time  required  by  I-DCOPF. 


Number  of 
Interdicted 
Buses 

NDR 

I-DCOPF  1 

'"NDR 

(sec) 

z(Kdr) 

($xl05) 

Deviation 
from  z* 

z(<57)  at  tNDR 
($xl05) 

Deviation 
of  z(£7) 
from 

z  at  tNDR 

ti 

(sec) 

z(5:) 

($xl05) 

2 

0.66 

8.13 

0% 

1.45 

459% 

14.2 

8.13 

3 

0.36 

14.34 

0% 

6.81 

111% 

7.7 

14.34 

4 

0.61 

19.94 

0% 

11.77 

69% 

45.6 

19.94 

5 

0.56 

23.49 

0% 

18.29 

28% 

119.2 

23.49 

Table  8.  Solution  times  and  resulting  objective  values  for  NDR  and  I-DCOPF.  Test  case  is 
RTS  3  Area,  only  buses  are  interdicted,  t,  is  the  time  for  I-DCOPF  to  find  the 
optimal  interdiction,  convergence  requires  additional  time. 


Next  we  test  NDR  on  a  portion  of  the  North  American  power  grid.  The  region 
considered  consists  of  5,000+  buses,  6000+  lines  (including  1000+  transformers),  and 
500+  substations.  Total  system  load  is  close  to  70,000  MW,  and  there  are  90,000+  MW 
of  available  generation  distributed  in  500+  generating  units.  For  the  purpose  of  this 
paper,  we  refer  to  this  region  as  the  Large  Sample  Grid  (LSG). 

We  approximate  a  three-step  load-duration  curve  at  each  bus  consisting  of  a  peak 
period  covering  20%  of  the  time,  a  normal  period  covering  50%  of  the  time  during  which 
demand  is  75%  of  peak,  and  a  “valley  period”  covering  30%  of  the  time  during  which 
demand  is  45%  of  peak.  We  also  make  the  cost  of  load  shed  dependent  on  the  period, 
with  values  1,000,  800  and  500  $/MWh,  respectively.  Since  NDR  does  not  model 
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multiple  periods,  we  approximate  the  solution  using  the  peak  demand  period.  The 
duration  of  this  study  is  360  hours  which  is  sufficient  time  to  restore  all  interdicted 
components. 

For  this  test,  we  again  assume  that  only  buses  are  interdicted.  Each  scenario  runs 
for  100  minutes  (6000  seconds)  or  until  a  gap  of  s  =  1%  is  reached,  whichever  occurs 
first. 

Table  9  displays  results  for  this  test.  In  the  case  with  three  interdicted  buses,  I- 
DCOPF  outperforms  NDR  both  in  speed  and  quality  of  solution  (  z(S ,)>  z(d*NDK)  ).  In  all 

other  cases,  NDR  predicts  interdictions  at  least  as  good  as  those  found  by  1-DCOPF, 
always  with  significant  time  savings.  1-DCOPF  only  converges  within  the  allotted  100 
minutes  in  the  case  with  two  interdicted  buses.  The  best  upper  bound  on  optimal  cost 
(  Zj )  is  shown  for  the  cases  in  which  I-DCOPF  did  not  converge.  Comparing  the  solution 
of  NDR  to  the  best  bound  from  1-DCOPF  shows  how  close  NDR  is  to  the  true  optimal 
solution.  In  the  case  of  four  interdicted  buses,  both  the  NDR  and  I-DCOPF  objective 
values  are  within  approximately  15%  of  the  true  optimal  value.  A  similar  calculation 
shows  that  the  NDR  objective  value  is  within  approximately  20%  of  the  true  objective 
value  for  the  case  with  seven  interdicted  buses,  while  the  I-DCOPF  objective  value  is 
only  within  58%. 
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Number 

Interdicted 

Buses 

N 

[DR 

I-DCOPF  I 

'"NDR 

(sec) 

z(Kdr) 

($xl08) 

z(Sj)  at  tNDR 
($xl08) 

t, 

(sec) 

z(c>,) 

($xl08) 

zi 

($xl08) 

2 

49 

3.23 

2.16 

485 

3.23 

- 

3 

58 

2.81 

2.94 

3610 

3.65 

3.91 

4 

25 

3.96 

1.85 

5757 

3.39 

4.82 

5 

20 

5.09 

2.19 

3504 

5.09 

5.87 

6 

18 

5.67 

2.40 

187 

5.46 

6.92 

7 

17 

6.70 

3.41 

3191 

5.09 

8.05 

Table  9.  Results  for  NDR  and  I-DCOPF  applied  to  the  Large  Sample  Grid.  The  t,  column 
gives  the  time  for  I-DCOPF  to  find  the  incumbent  interdiction  plan.  Maximum 
allowed  time  is  6000  seconds.  The  best  bound  on  cost  (z7 )  is  shown  for  the  cases 
when  I-DCOPF  does  not  find  the  optimal  interdiction  in  the  allotted  time. 
Duration  of  study  is  360  hours. 


NDR  has  great  potential  when  studying  interdictions  against  defended  networks. 
Solving  I-DCOPF  for  a  realistically  sized,  defended  power  grid  is  extremely  difficult  and 
is  the  principal  obstacle  to  solving  DAD.  To  illustrate  this,  we  repeat  the  above 
experiment  on  LSG  but  with  ten  buses  defended.  Again  we  assume  that  only  buses  are 
interdicted  and  we  limit  each  scenario  to  100  minutes  of  computation  time. 

Table  10  displays  the  results  of  this  experiment.  For  all  of  the  cases  considered, 
NDR  outperforms  I-DCOPF  in  terms  of  solution  speed  and  solution  cost.  I-DCOPF  does 
not  converge  within  the  allowed  time  for  any  of  the  cases. 

Table  1 1  shows  the  optimality  gap  for  z(S*NDR )  and  z{8j )  for  both  the  undefended 
and  defended  network  (based  on  the  data  in  Tables  9  and  10,  respectively).  The 
optimality  gap  is  based  on  z7 ,  the  best  upper  bound  on  z*  found  by  I-DCOPF  in  the 

allotted  time.  The  optimality  gap  for  I-DCOPF  on  the  defended  network  is  significantly 
larger  than  that  for  the  undefended  network,  demonstrating  that,  for  these  scenarios,  the 
defended  network  is  more  difficult  to  solve.  Although  the  values  for  NDR  show  a 
general  upward  trend  between  undefended  and  defended,  the  effect  is  not  as  pronounced 
as  for  I-DCOPF. 
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Number  of 
Interdicted 
Buses 

NDR 

I-DCOPF  1 

'"NDR 

(sec) 

*0 

($xl08) 

z(Sj)  at  tNDR 
($xl08) 

t, 

(sec) 

z(cV) 

($xl08) 

zi 

($xl08) 

2 

178 

2.50 

1.84 

4673 

2.42 

2.68 

3 

269 

3.00 

2.16 

3944 

2.16 

3.46 

4 

302 

3.50 

2.17 

115 

2.17 

4.35 

5 

284 

4.00 

2.33 

4670 

2.74 

5.25 

6 

71 

4.14 

2.33 

158 

2.83 

6.14 

7 

48 

5.30 

2.67 

140 

3.25 

7.10 

Table  10.  Result  of  NDR  and  I-DCOPF  for  the  Large  Sample  Grid  with  ten  buses  defended. 

NDR  outperforms  I-DCOPF  in  terms  of  speed  and  quality  of  solution  in  all  cases. 
I-DCOPF  reached  the  maximum  allowed  time  of  6000  seconds  in  all  cases.  The 
duration  of  this  study  is  360  hours. 


Number  of 
Interdicted 
Buses 

Optimality  Gap  for 
Undefended  Network 

Optimality  Gap  with  Ten 
Buses  Defended 

NDR 

I-DCOPF 

NDR 

I-DCOPF 

2 

0% 

0% 

7% 

11% 

3 

39% 

7% 

15% 

60% 

4 

22% 

42% 

24% 

101% 

5 

15% 

15% 

31% 

92% 

6 

22% 

27% 

48% 

117% 

7 

20% 

58% 

34% 

118% 

Table  1 1 .  Optimality  gap  for  NDR  and  I-DCOPF  for  undefended  and  ten-bus  defense. 

Optimality  gap  is  based  on  z7  ,the  best  upper  bound  on  z  found  in  the  allowed 

6000  seconds  and  the  lower  bounds  z(8*NDR )  and  z{81 )  from  the  NDR  and  I- 
DCOPF,  respectively. 


The  DKI  algorithm  for  DAD  can  be  implemented  with  NDR  solving  the  AD 
subproblem.  The  danger  with  this  is  that  NDR  may  under-predict  the  disruption  of  a 
given  interdiction  plan,  thus  over-predicting  the  value  of  that  defense.  However,  the 
rapid  solution  times  of  NDR  make  it  a  useful  adjunct  for  studying  DAD,  and  we  solve 
DAD  here,  approximately,  for  the  LSG  Area  using  this  technique.  We  only  consider 
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substations,  with  sufficient  resources  to  interdict  five  and  defend  ten.  We  allow  fifty 
iterations  of  the  NDR-DKf  interaction,  and  choose  the  best  three  defenses  for  further 
analysis  using  I-DCOPF  (the  fifty  iterations  required  approximately  5.5  hours  of 
computational  time).  Figure  9  shows  the  total  cost,  z(S*NDR)  ,  at  each  iteration,  and  Table 

12  shows  the  complete  results,  including  z{S*NDR) ,  peak  power  shed,  and  total  energy 

shed,  for  the  top  three  defensive  plans  as  well  as  for  the  undefended  case.  We  evaluate 
the  top  three  defensive  plans  using  1-DCOPF  with  a  maximum  computation  time  of  eight 
hours.  Table  13  shows  the  results:  z{dI)  and  z,  (the  lower  and  upper  bound  on  z*, 

respectively),  and  optimality  gap.  For  example,  with  Defensive  Plan  1,  z*  is  bounded  on 
the  interval  [5.48,  8.53]  ($xl08),  which  is  an  improvement  over  the  undefended  case. 

Figure  10  plots  the  upper  and  lower  bound  on  z*  for  Defensive  Plan  1  using  1-DCOPF, 
demonstrating  the  slow  rate  of  convergence  of  the  upper  bound. 


Total  Cost  vs  Iteration  Using  NDR  and  DKI  to  Solve  DAD 


Iteration  Number 


Figure  9.  Iterations  to  solve  DAD  for  the  Large  Sample  Grid  Area  using  NDR  and  DKI. 

Five  substations  are  interdicted  and  ten  defended.  The  optimal  defense  is  found  at 
iteration  2.  Defensive  plans  considered  at  iteration  1  and  44  are  the  second  and 
third  best  respectively.  Iteration  0  is  the  undefended  case. 
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Table  12. 


Table  13. 


Defensive 

Plan 

Iteration 

Number 

*0 

($xl08) 

Peak 

Power 

Shed 

(MW) 

Total 

Energy 

Shed 

(GWh) 

1 

2 

5.48 

4009.8 

402.9 

2 

1 

5.81 

2851.0 

478.1 

3 

44 

6.32 

3911.6 

529.1 

N/A 

9.97 

5679.4 

959.0 

Complete  results  for  top  three  defensive  plans  and  undefended  case  from  Figure 
9.  The  iteration  number  corresponds  to  the  iterations  of  Figure  9. 


Defensive 

Plan 

<S,) 

($xl08) 

zi 

($xl08) 

Optimality 

Gap 

1 

5.48 

8.53 

56% 

2 

5.81 

8.82 

52% 

3 

7.12 

9.76 

37% 

Results  of  I-DCOPF  for  LSG  Area  using  the  best  three  defensive  plans  from 
Figure  9.  Maximum  algorithm  time  is  8  hours.  z{81)  and  z1  are  lower  and  upper 
bounds,  respectively,  on  the  true  optimal  solution. 
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Upper  and  Lower  Bounds  from  l-DCOPF 


Figure  10. 


Upper  and  Lower  Bound  on  z  from  I-DCOPF  for  Defensive  Plan  1 ,  showing  the 
slow  rate  of  convergence  of  the  Upper  Bound 
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IV.  CONCLUSIONS  AND  RECOMMENDATIONS 


This  thesis  has  developed  mathematical  models  to  identify  optimal  sets  of 
components  in  an  electrical  power  grid,  the  defense  of  which  would  minimize  the 
disruption  caused  by  an  adversary’s  attack.  The  ultimate  goal  of  this  research  is  to  apply 
these  models  to  actual  systems  in  an  effort  to  enhance  the  resilience  of  the  U.S.  electrical 
power  grid. 

In  a  trilevel  defender-attacker-defender  (DAD)  model,  a  defender  attempts  to 
minimize  potential  damage  to  a  system  by  protecting  key  components  with  limited 
(defensive)  resources,  while  an  attacker  seeks  to  inflict  maximum  damage  by  destroying 
vulnerable  components  using  limited  (offensive)  resources.  With  fixed  defenses,  the 
DAD  problem  becomes  a  bilevel  attacker-defender  (AD)  problem  that  optimizes  system 
interdiction  given  optimal,  post-interdiction,  system  operation.  Previous  research  has 
developed  optimization  models,  called  I-DCOPF,  to  solve  (or  approximate  the  solution 
of)  the  AD  problem  for  electrical  power  grids. 

We  develop  the  “Defense  of  Known  Interdictions”  model  (DKI)  that  is  part  of  a 
decomposition  algorithm  that  can  solve  the  defensive  DAD  problem  for  realistically- 
sized  electrical  networks,  provided  that  I-DCOPF  can  be  solved  efficiently. 
Unfortunately,  a  lack  of  efficiency  in  this  regard  proves  to  be  a  major  obstacle.  Our 
computational  experience  indicates  that  solving  the  I-DCOPF  model  for  a  large  network 
is  extremely  difficult,  and  this  difficulty  greatly  increases  when  a  select  group  of  grid 
components  are  defended. 

We  explore  one  method  to  reduce  the  solution  time  for  I-DCOPF.  Currently,  I- 
DCOPF  is  solved  using  a  decomposition-based  algorithm  in  which  a  coordinating 
(master)  problem  and  an  operating  (sub-)  problem  yield  upper  and  lower  bounds, 
respectively,  on  the  optimal  solution.  By  relaxing  the  electrical  impedance  constraints  in 
the  operating  problem,  we  approximate  electrical  power  grid  behavior  as  a  minimum  cost 
network  flow.  Using  this  approximation,  we  develop  a  model  called  Network  Dual 
Relaxation  (NDR)  that  quickly  generates  a  solution  that  may  be  close  to  the  optimal 
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solution  of  the  original  I-DCOPF,  and  could  be  solved  even  faster  by  decomposition  (not 
implemented  in  this  work).  For  the  scenarios  tested,  NDR  produces  high-quality  lower 
bounds;  currently,  however,  the  only  way  to  guarantee  such  quality  is  by  solving  the 
exact  I-DCOPF  problem. 

We  recommend  that  future  research  implement  load-duration  curves  and 
component  restoration  into  NDR.  This  would  allow  NDR  to  better  approximate  I- 
DCOPF  solutions  for  both  long  and  short-tenn  problems. 

We  also  recommend  that  future  research  examine  methods  to  improve  the  upper 
bound  for  I-DCOPF.  A  model  that  quickly  predicts  the  upper  bound  for  I-DCOPF, 
coupled  with  NDR,  could  greatly  reduce  I-DCOPF  solution  times  and  help  solve 
realistically-sized  DAD  problems,  and  help  with  the  final  goal  of  enhancing  the  security 
of  the  U.S.  electrical  power  grid. 
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APPENDIX  A.  DCOPF  MODEL 


A.l  DC  OPTIMAL  POWER  FLOW  MODEL 


From  Salmeron,  Wood,  and  Baldick  [2005] 
Single-Period  Case 


Sets: 

i  e  I 

set  of  buses 

o 

1 — i 

W 

subset  of  reference  buses  (  7°  |= number  of  islands  in  the  system) 

geG 

set  of  generating  units 

g^Gi 

subset  of  generating  units  connected  to  bus  i 

l  el 

set  of  AC  transmission  lines  (and  transformers  modeled  as  AC  lines) 

I  eLDC 

set  of  DC  transmission  lines 

/  e  Lf‘s 

subset  of  AC  and  DC  lines  connected  to  bus  i 

1  e  LPar 

subset  of  lines  in  parallel  with  line  / 

c  eC 

set  of  consumer  sectors 

s  e  S 

set  of  substations 

ids 

subset  of  buses  at  substation  s 

/  e  Ls“b  subset  of  AC  and  DC  lines  connected  to  substation  s  (including 

transformers,  which  are  represented  by  lines) 

Parameters  (units,  if  applicable): 

o(/),  d(l)  origin  and  destination  buses,  respectively  of  AC  or  DC  line  /  (more  than 

one  line  with  the  same  o(l)  ,  cl(l)  may  exist) 

Kg) 

bus  for  generator  g ,  i.e.,  g  e  Gu,,) 
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s(i)  substation  s  e  S  associated  with  bus  i  e  Is 

dic  load  of  consumer  sector  c  at  bus  i  (MW) 

Pfme  transmission  capacity  for  AC  or  DC  line  /  (MW) 

Pf'n  maximum  output  from  generator  g  (MW) 

rn  x,  resistance  and  reactance  of  AC  line  /,  respectively  (p.u.).  (We  assume 

x,  »  r, ) 

B \  series  susceptance  for  AC  line  /,  calculated  as  B!  =  x,  /(if  +  xf )  (p.u.) 

R,,P,,EI  resistance  (Q),  set  point  (MW)  and  scheduled  voltage  (kV)  for  DC  line 

/ ,  respectively 

jUl  transmission  coefficient  (=  1  -  loss  coefficient)  on  DC  line  / ,  calculated 

as  /u,  =l-I2R/P  =  \-P2R/(E2P)  =  \-PR/E2  (p.u.) 

ha  generation  cost  for  unit  g  ($/MWh) 

fjc  load-shedding  cost  for  customer  sector  c  at  bus  i  ($/MWh) 

Decision  variables  (units): 

Pf‘n  generation  from  unit  g  (MW) 

Pfine  power  flow  on  AC  line  /  (MW) 

U, ,  V,  power  flow  from  the  “from”  to  the  “to”  bus  or  vice  versa,  respectively, 

for  DC  line  /  (MW).  Remark:  DC  lines  are  modeled  as  follows:  If 
U,  >  0  MW  are  sent  from  the  “from”  bus,  then  (1  —  ju,  )Ul  MW  are 
received  at  the  “to”  bus.  Similarly,  we  use  V ]  >  0  to  model  flow  from 
the  “to”  bus  to  the  “from”  bus. 

Sic  load  shed  (unmet)  for  customer  sector  c  at  bus  i  (MW) 
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phase  angle  at  bus  z  (radians) 


e, 


Formulation: 

(DCOPF):  min  £VT  +  E  I  /A 

’  ’  ’  ’  ’  g  i  c\dic>0 


S.t. 


PtLine  =Bl  (0o{l)  -0d(l)) 


V/ el 


X  1  pGen  X  1  pLine  .  X  1  pLine  . 

Z.  jrg  Z-i  /  Z—iri 

g  IeL\  le.L\ 

o(l)=i  d{l)=i 

E(-u,+m)+Z  w-^)=  EWc-s,c) 

/si^l  /eiDC| 

o(l)=i  d(l)=i 

pLine  ^  pLine  ^  pLine 


pGen  ^  pGen  <  pGen 
—g~rg  ~  g 

0<s,<d: 


ic  ic 


e:  =  o 


c\dic  >0 

V/elu  Ldc 
Vz',VgeG,. 

V  z ,  c  |  djc  >  0 
Vie/0 


(A.l) 


(A.2) 

(A.  3) 

(A.4) 
(A.5) 
(A.  6) 
(A.  7) 


Remark:  If  all  DC  loss  coefficients  and  all  generating  costs  are  non-zero,  an  optimal  solution 
to  the  above  model  should  not  contain  any  crossed-flows  (i.e.,  Uj  >  0,  V,  >0  simultaneously) 
on  the  DC  lines.  However,  if  any  of  those  hypotheses  fails,  multiple  optimal  solutions  may 
occur,  some  of  which  may  involve  crossed-flows  on  the  same  DC  line.  To  ensure  the  output  is 
displayed  correctly,  the  following  post-processing  of  the  solution  can  be  made: 


Power  across  DC  line  /  =  /JlUl  —  jU/V/,  V/  G  LDC  . 


Multi-Period  Case 

Our  DCOPF  model  must  be  extended  to  consider  periods  (or  blocks  of  hours)  for 
two  reasons: 

(1)  Demand  variation.  DCOPF  must  accommodate  changes  when  we  consider  a  staircase 
function  to  represent  our  load-duration  curve  (LDC), 

(2)  Repair  times.  As  the  system  is  restored  after  interdiction,  the  grid  topology  undergoes 
changes  that  must  also  be  incorporated  into  the  DCOPF  model. 
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Each  combination  of  an  LDC’s  period-subperiod  pair  and  a  restoration  stage  involves  a  new 
DCOPF  computation.  In  what  follows,  we  generically  call  each  of  these  triplets  a  “Time  Period,” 
or  simply  a  “Period”  (which  must  not  be  confused  with  the  period-subperiod  structure  for  the 
LDC). 

According  to  the  above,  we  must  extend  our  notation  for  the  single -period  DCOPF  in  order  to 
capture  changes  in  our  data  (load  and  shedding  cost)  and  our  decision  variables  (all  of  them)  for 
each  of  these  periods. 

We  need  substantially  new  notation  for  the  problem  with  time  periods. 

New  sets  and  parameters: 

t  e  T ,  set  of  periods 

Dt ,  duration  of  period  t  (hours) 

Extended  parameters  and  variables:  Same  definition  as  in  single-period  DCOPF,  but  now  for 
every  period  t: 


d,ic’  fn 


P 

tie  9  tg 


Gen 


utI,vtl 


6». 


Model  changes: 


(DCOPF):  min 

pGen  pLme  SfifJ.V 


i4evt+e  z  f,A 


V  S 


i  c\dtic>0 


(S) 


Notice  that  the  new  objective  factors  in  the  duration  of  each  level  of  disruption,  given  by 
different  amounts  of  load  shedding,  Stic  ,and  their  costs,  ftic ,  which  are  period-dependent. 

Fikewise,  assuming  a  given  interdiction  plan,  the  new  constraints  for  each  period  must  reflect 
those  in  (A.2)-(A.7),  replicated  for  every  period  t,  but  ensuring  that  only  the  non-interdicted  or 
repaired  components  are  included  in  the  model.  However,  in  order  to  establish  such  formulation 
formally,  we  must  first  introduce  new  notation,  which  in  turn  will  allow  us  to  formulate  the 
interdiction  model. 
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A.2 


INTERDICTION  MODEL 


New  sets  and  parameters: 

6*cG,  i’ciu  Ldc  ,  I*  c=  /  ,  S*  cz  S  ,  subsets  of  interdictable  generators,  lines, 
buses,  and  substations,  respectively.  These  are  “directly  interdictable  components.” 

E,  =  L  yjG  cj  B  yj  S  ,  set  of  all  (directly)  interdictable  elements. 

G*lcG,  L**^LuLdc,  /"  c/,  S**  ^  S ,  subsets  of  directly  or  indirectly 

interdictable  generators,  lines,  buses,  and  substations,  respectively. 


{1,  if  component  e  remains  unrepaired  in  time  period  t  after  being  attacked 
0,  if  component  e  is  repaired  before  time  period  t  after  being  attacked 


t  ef ,  e  e  E,  .  Remark:  ft™ ,  /?“us ,  ,  and  denote  [5t  e  when  e=l  is  line,  or 


7  Bus 


7  Gen 


Sub 


e=i  is  a  bus,  or  e=g  is  a  generator,  or  e=s  is  a  substation,  respectively. 


Lt  a  Lyj  L  ,  subset  of  lines  that  might  remain  interdicted  (directly  or  indirectly)  in 
period  t.  Constructed  as  follows: 

/  g  L*  if  either: 

yCe=i,  or 

/?®us  =  1  for  some  i  \  l  e  Cu\  or 
/?tssub  =  1  for  some  s\l  e  Ls“b,  or 
ft™  =  1  for  some  11  \  lie  Lft 

G**  cz  G ,  subset  of  generators  that  might  remain  interdicted  (directly  or  indirectly)  in 
period  t. 

I**  cz  I ,  subset  of  buses  that  might  remain  interdicted  (directly  or  indirectly)  in  period  t. 
St  cz  S  ,  subset  of  substations  that  might  remain  interdicted  (directly)  in  period  t. 
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1  if  /  e  Z* 

0  otherwise 
[l  if  /  e  C* 

0  otherwise 
fl  ifgeG* 

0  otherwise 
fl  if g  e  G  * 
[o  otherwise 
1  if  iel* 

0  otherwise 
1  if  s  e  S* 

0  otherwise 
1  if  i  e  1° 

0  otherwise 


M  1'e" ,  Mfme ,  Mfus ,  Mss"b :  resource  required  to  interdict  generator  g,  line  /,  bus  i,  and 
substation  s,  respectively. 

M  ,  total  interdiction  resource  available  to  terrorists. 


New  decision  variables: 

Sg6'1 ,  S'Jne ,  8fus ,  8f‘b ,  binary  variables  that  take  the  value  1  if  generator  g,  line  /,  bus  i  or 
substation  s,  respectively,  are  interdicted,  and  are  0  otherwise. 
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Interdiction  Model 


Here,  we  introduce  the  model  that  will  be  referred  to  as  the  (linearized)  interdiction  model, 
I-DCOPF.  This  formulation  linearizes  the  admittance  equation  in  presence  of  interdiction.  For 
example,  if  a  line  can  be  interdicted  by  attacking  the  line  or  the  buses  that  it  connects,  the 
admittance  equation  would  be 

P,=B, {0o(l)  - %)(1  - )(1  - £0(/)Xl  - > 

where  the  (l-<5)  terms  force  the  power  across  the  line  to  be  zero  if  the  line  is  interdicted,  without 
imposing  any  further  restriction  on  the  phase  angles  at  each  connecting  bus.  To  linearize  the 
right-hand  side  of  the  above  equality,  we  consider  the  two  following  linear  constraints: 

[P,-BXeo{l)  - 6m )<Mt (Sl  +  8o(l)  +  Sd(l) ) 

| P, -B,(0oU) -0iV))  >  -MM+S^+S^)  ’ 

where  can  be  taken  as  M,  =  P,  +  Bl0o(l)  d(l) ,  and  0{  k  is  an  upper  bound  on  the  absolute 

value  of  the  maximum  phase  angle  difference  between  adjacent  buses  i,k  (e.g.,  0j  k=  \  radian). 
The  I-DCOOPF  model  formulation  is: 


(I-DCOPF):  max  min  Z  Z  h&Pug"  +  Z  Z  ft,i,cSu,c 

s  (PGe\pLme,s,e,u,v)  g  ^  TcCo 


EnLine  c-Line  \ 

Pull  5ll  ) 


V/eI,Vr 


P%"  +  Z  +  Z  + 

ie/j/sZf“  seSl/eif4 

Z  $7dune)  V/  e  L,\/t 

ll^llel?"6 

\  '  pGen  \  '  -pLine  .  V  1  pLine  . 

/ ,  P,g  ~  / .  P  i  +  2—t  c,/  + 

geGf  /ei|o(/)=i  leL\d(l)=i 

I (-u,+nv,)+  Y,(m,u,-v,)+  I  4,,  v«,r 

/Ei00!  /eZTi  c|<4.>0  d<4.>0 
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pLine  ✓  pLine 
*t,l  ~  *1 

Vt,leL\L " 

nLine  ^  nLine  /i  c* Line\ 

Pt,  <P,  (1-4  ) 

Vt,leleLnL*,  P'fe=\ 

nLine  /  nLine  /i  c*i?i/s  \ 

K,  ^p,  0-4  ) 

Vt,l,i\ief,  /eZnZfM?,^us=  1 

nLine  /  nLine  /1  oSttZ?  \ 

^./  ^  (!-4  ) 

V^/,j|seS\/eZnZ,“  jfi£*=l 

nLine  /  nLine  /1  c*Line  \ 

K,  ^  p,  0-4/  ) 

V?,  /,////  e  Z*  ,11  e  Z  n  Zf r ,  = 

pLine  ^  pLine 
*t,l  ~  ~^l 

Vt,leL\L ~ 

nLine  \  nLine  /■%  <?Line  \ 

Ki  ^~P,  (1-4  ) 

Vt,leLnL\  j3tLjne=] 

nLine  \  nLine  /1  c*5w,s'  \ 

PtJ  >~pi  0-4  ) 

\/t, l,i\i  ef,  leLnL^,^  =\ 

nLine  \  nLine  /1  c*.S«Z)  \ 

K,t  >-p,  0-4  ) 

Vt,l,s\s  g5*  ,/ sLnLf  ,tf“h  =1 

VZ,/,/7  //  e L\ll  e  ZnZf"',/^  = 

7-  jLine  >  pLine 

Ut,l  ~  *1 

VtJeL^XL” 

t  rLine  /  nLine  /1  c *Line\ 

ut,i  ^ pi  O-4  ) 

\Zt,leleLK:nL\  $f=\ 

7-  rLine  ^  nLine  /1  \ 

uo  ^ p,  (!-4  ) 

Vt,l,i\i el*,le LK nZf’.jfig"  =  1 

t  rLine  ^  nLine /-t  c'Sub  \ 

ut,i  ^ pi  (!-4  ) 

€  5*,/  e  Z,1*7  nZ^.yfig6  =  1 

Z/"~  <  Zf"K'(l -Sb,ne) 

VZ,/,//  //eZTj/eZ^nZf",/^  = 

t rLine  ✓  pLine 

Vt,l  —  *1 

\/t,leLrx:\L" 

j  rLine  /  nLine  /1  c *Line\ 

K,i  —*i  (1_^z  ) 

VtJeleL^nL,  tf™=\ 

j  rLine  /  nLine  / 1  ?Bus\ 

vtJ  ^ Pr  (1-4  ) 

Vt,l,i\ief,  /€Z4cnZf!“,^7=  1 

t  rLine  ^  nLine /-t  c *Sub\ 

vt,i  ^  Pr  0-4  ) 

Vf ,  /,  5  5  e  5* ,  /  e  Lx  nZf6 ,  $usb  =  1 

vtJ  ^ Pr  (1-4/  ) 

Vf,/,//|//  €  ZT,//  e  Z^  nLf;ar,j3b;e  = 

pGen  >•  pGen 
rt,g  ~  g 

\/t,g£G** 

pGen  ✓  pGen  si  oGen\ 
rt,g  ~rg  "  °g  ' 

Vt,g\geG\/3%=l 

pGen  <  pGenp  cBus  \ 

4,g  -  ‘g  l1  4(g)  1 

Vt,g\i(g)er,ffig)=l 

pGen  ,/  pGen/ 1  j?Sub  \ 

rt,g  ~rg  " 

Vt,g\sm)eS*,tf?(i{g))=l 
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s,u-dtu 

6>,=0  Vt,iel° 


Vt,i,c\dIJcX) 


pGe"  >  Q 

Vt,g 

PtL'ne  unrestricted 

\/t,l  e  L 

U]tJe  >  0 

\/t,l  e  L 

v,Te  ^  0 

\/t,I  e  Z 

o 

Al 

O 

Co*" 

Vt,/,c  dlic>0 

9t ,  unrestricted 

\/t,i£l° 

^  Mf"  Sf*  +  8\ine  +  £ 

geG  /eL  zel 

M?m  8?us  +  ^  A/f“*  <5;s“* 

sgS* 

All  ^-variables  are  binary  {0,1}. 
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